BACKGROUND OF THE INVENTION

The present invention relates generally to a
technique for ensuring security in a computer network.
More particularly, the present invention is concerned
with a method of realizing elliptic curve cryptography
(encryption/decryption), an apparatus for carrying out
the method and a recording medium for storing the method
in the form of a program executable by a computer.

Elliptic curve cryptography (encryption/decryption)
is one of the public key cryptographic algorithms,
invented independently by V. Miller and N. Koblitz.
As a requirement imposed on public key cryptography from
the viewpoint of security, discovery of a private key on
the basis of the counterpart public key laid open to the
general public must be made impossible in practice. On
the other hand, the public key cryptosystem intrinsically
requires a lot of time for encryption and decryption when
compared with the private key cryptosystem. Thus, in the
present state of the art, there exists a great demand for
a high-speed processing technique for encryption and
decryption in the public key cryptosystem. Under the
circumstances, elliptic curve cryptography is now
attracting attention as a public key technique which can
satisfy both the security requirement and the high-speed
processing requirement, which are, so to say,
contradictory to each other, because it is better suited
to this problem than the RSA (Rivest, Shamir & Adleman)
cryptography and the ElGamal cryptography known
heretofore.

The elliptic curve of the elliptic curve cryptography
can be represented by the standard form of an elliptic
curve in a finite prime field, i.e.,
$y^2 = x^3 + ax + b$ ($4a^3 + 27b^2 \neq 0$), or
alternatively by the standard form of an elliptic curve
in a finite field of characteristic 2 (which may also be
referred to as the extension field of "2"), i.e.,
$y^2 + xy = x^3 + ax^2 + b$ ($b \neq 0$). By adding a
point at infinity to the points on such a curve, an
Abelian group is made available. In this conjunction, the
Abelian group arithmetic will be represented by the plus
sign (+). Further, for operands X and Y which differ from
each other, "X + Y" will be referred to as the addition
arithmetic. Furthermore, "X + X" will be referred to as
the doubling arithmetic and represented by "2X".

In order to facilitate computations involved in
the elliptic curve cryptography, a point (X, Y) on an
elliptic curve in the affine coordinate system may also
be expressed in terms of the projective coordinates. At
this juncture, suppose a projective coordinate system in
which $[X, Y, Z] = [\lambda^2 X, \lambda^3 Y, \lambda Z]$
holds for a given $\lambda \neq 0$. Then, the following
correspondences can be established between the affine
coordinates and the projective coordinates. Namely, the
affine coordinates (x, y) can be represented by the
projective coordinates [x, y, 1], while the projective
coordinates [X, Y, Z] can be represented by the affine
coordinates $(X/Z^2, Y/Z^3)$. Further, in the projective
coordinate system, it holds that -[X, Y, Z] = [X, -Y, Z].

In the elliptic curve cryptography, an elliptic
curve in a finite field is made use of for making usable
a set of points which constitutes a finite field of the
elliptic curve. In this conjunction, the order of the
elliptic curve is represented by the number of points of
the elliptic curve. In the following, the result of
addition of "P" s times, i.e., P + P + ... + P where the
number of "P" is s, will be referred to as the
s-multiplied point of "P". When the arithmetic for
determining the s-multiplied point of P is represented by
"sP", the order of the point "P" on the elliptic curve is
given by n = 112 which satisfies the conditions that nP =
0, 1 < m < n and mP ≠ 0.

The key for the elliptic curve cryptography is
composed of an elliptic curve, a base point, a public key
and a private key. More concretely, the key of the
elliptic curve cryptography is composed of the
coefficients a and b of the elliptic curve, the point P
(base point) whose order is a prime number, a finite
field element d (private key) and a point Q (public key)
given by the product of the base point multiplied by the
private key (i.e., Q = dP). Incidentally, the elliptic
curve, the base point and the public key are laid-open
(public) information. Further, the public key and the
private key assume respective values which differ from
one user to another, while the elliptic curve and the
base point assume respective values which are common to
the users.

In the elliptic curve cryptography, a scalar
multiplication (sR) arithmetic for a given point R is
adopted for the data encryption, generation of a digital
signature and verification of the digital signature.
The scalar multiplication can be realized through
combination of the addition arithmetic and the doubling
arithmetic mentioned previously. However, computation
for each such addition arithmetic and doubling
arithmetic necessarily requires execution of division
arithmetic once. In general, division in the finite
field takes a lot of time. For this reason, efforts have
heretofore been made to establish a computation
method which can avoid the division arithmetic.

As an approach for avoiding the division in the
finite field, addition arithmetic and doubling arithmetic
in the projective space as well as expressions or
formulae for realization thereof have already been
proposed. For more particulars, reference should be made
to D.V. Chudnovsky and G.V. Chudnovsky: "SEQUENCES OF
NUMBERS GENERATED BY ADDITION IN FORMAL GROUPS AND NEW
PRIMALITY AND FACTORIZATION TESTS", Advances in Applied
Mathematics, 7, 385-434, 1986. In this conjunction, it
is noted that the computation time taken for the prime
field multiplication is ordinarily far longer than
that taken for the prime field addition/subtraction.
Thus, the overall computation time or overhead can be
evaluated on the basis of the number of prime field
multiplications involved. In that case, the addition
arithmetic requires execution of the prime field
multiplication (inclusive of squaring arithmetic) sixteen
times. In the doubling arithmetic, the prime field
multiplication has to be performed ten times. For more
particulars, reference is to be made to the literature
cited above. Further, it is reported that for the
coefficient a of the elliptic curve, residual
multiplication arithmetic has to be performed eight times
in the case where a = -3.

Further, according to the teachings disclosed
in P. Montgomery: "SPEEDING THE POLLARD AND ELLIPTIC
CURVE METHODS OF FACTORIZATION", Mathematics of
Computation Vol. 48, No. 177, pp. 243-264 (1987), it is
reported that when the standard form of an elliptic curve
in a finite prime field, i.e., $By^2 = x^3 + Ax^2 + Bx$, is
employed for addition of points P0(x0, y0) and P1(x1, y1)
as given by P3(x3, y3) and subtraction thereof as given
by P4(x4, y4), i.e., when P1 + P0 = P3 and P1 - P0 = P4,
then x3 can be determined speedily from x0, x1 and x4.
More concretely, it is reported that x3 can be determined
by executing the prime field multiplication six times.
Further, in the case where the double point of P1 is
given by P5(x5, y5), x5 can be determined only from x1 by
performing multiplication five times. By taking advantage
of this feature, the x-coordinate of the scalar multiple
(scalar value d) of the point R can be determined from Rx
in the manner described below.

Presuming that the initial value is [R, 2R] and
that mR represents the x-coordinate of the point R
multiplied by m, the scalar value d is developed into a
bit string in binary notation. Then, starting from the
most significant bit of d, the update
[mR, (m+1)R] -> [2mR, (2m+1)R] is applied for the bit
"0" of d, and [mR, (m+1)R] -> [(2m+1)R, 2(m+1)R] for the
bit "1" of d, where (m+1)R - mR = R and (m+1)R + mR =
(2m+1)R.

In this manner, the scalar multiplication sP
can be realized by performing the prime field
multiplication (inclusive of squaring) ten times (6 + 5)
for each bit. Hereinafter, the procedure or algorithm
described above will be referred to as the Montgomery
method.

On the other hand, the standard form of an
elliptic curve on the finite field of characteristic 2
(extension field of "2") is given by
$y^2 + xy = x^3 + ax^2 + b$ ($b \neq 0$). For such an
elliptic curve, the scalar multiplication arithmetic can
be realized through combination of the addition
arithmetic and the doubling arithmetic. Rules for the
addition arithmetic and the doubling arithmetic are set
forth in IEEE: P1363/D2 "STANDARD SPECIFICATION FOR
PUBLIC KEY CRYPTOGRAPHY" (1998). In the arithmetic in
the finite field of characteristic 2 (extension field of
"2"), squaring and addition/subtraction can be realized
very speedily when compared with multiplications of
mutually different elements. Thus, the computation
overhead involved in the arithmetics in the finite field
of characteristic 2 can be evaluated by the number of
times the mutually different multiplications are to be
performed. The addition arithmetic requires execution of
multiplication fifteen times while the doubling
arithmetic requires execution of multiplication five
times. However, it should be noted that in the elliptic
curve cryptography based on the finite field of
characteristic 2, no arithmetic algorithm is known in
which the Montgomery method is resorted to.

For the elliptic curve which can ensure
security, it is necessary to set parameters a and b which
allow the order #E(Fq) of the elliptic curve to have a
large prime factor r. In the case where the order #E(Fq)
of the elliptic curve is given by kr, the prime factor r
can assume a large prime number by selecting a small
integer for k. As to the method of setting the parameters
of the elliptic curve having a large prime factor
r as the order, reference may be made to Henri Cohen: "A
COURSE IN COMPUTATIONAL ALGEBRAIC NUMBER THEORY", GTM138,
Springer (1993) p. 464, Atkin's Test.

Next, problems of cipher text attack and
defense against the attack will be considered. In recent
years, trials for attacking the cipher text as well as
the measures for defending the cipher text against the
attacks have been studied. More specifically, as to the
attack on the cipher text, there can be mentioned, in
addition to the classical or theoretical cryptanalysis, a
differential power analysis (DPA in short) which tries to
decode or decrypt the cipher text by statistically
processing the waveform representing current consumption,
a timing attack which tries to decode by statistically
analyzing differences in the cipher processing time, and
others which rely on the analysis of leak information. Of
course, the measures for defending the cipher against
such attacks have also been developed. However, most of
the defense measures have been realized primarily by
physically incorporating the defense function in the
hardware circuit itself destined, for example, for IC
cards.

The conventional elliptic curve cryptographies
described above suffer from the problems mentioned below.
As is apparent from the foregoing, in the elliptic curve
cryptography in the finite field of characteristic 2,
there is known no arithmetic in which the Montgomery
method is adopted. Further, in the studies concerning
the elliptic curve cryptographies, importance has been
put primarily on the development of high-speed execution
methods and generation of such an elliptic curve which
can ensure security as viewed from the standpoint of
cryptanalysis. By contrast, no efforts have been made
toward the development of defense technologies for
defending the ciphers against attacks of the leak
information analysis type. In the data decryption
processing of the elliptic curve cryptography, an
arithmetic operation for multiplying a point (x, y) on a
given elliptic curve by the private key d, i.e.,
d(x, y), is performed. In that case, deviation
information of the private key d may possibly leak, being
reflected in the consumed current waveform and the cipher
processing time, which will give a clue to the
differential power analysis (DPA) attack and the timing
attack.

SUMMARY OF THE INVENTION 

In the light of the state of the art described
above, it is a first object of the present invention to
provide an elliptic curve cryptography method which is
capable of realizing at a high speed the elliptic curve
cryptography in a finite field of characteristic 2 (or
extension field of "2"), in which the elliptic curve is
given by $y^2 + xy = x^3 + ax^2 + b$ ($b \neq 0$).

With the present invention, it is also
contemplated to provide an apparatus for carrying out the
method mentioned above.

A second object of the present invention is to
provide an elliptic curve cryptography method which can
prevent the private key information from leaking in the
form of deviation information of the processing time to
thereby defend the cipher text against the timing attack
and the differential power analysis (DPA) attack in the
elliptic curve cryptography.

A third object of the present invention is to
provide a recording medium which stores the elliptic
curve cryptography method in the form of a program or
programs which can be executed with a computer.

In view of the first object mentioned above,
there is provided according to an aspect of the present
invention a method of realizing an elliptic curve
cryptography in a finite field of characteristic 2
(extension field of "2"), in which the elliptic curve is
given by $y^2 + xy = x^3 + ax^2 + b$ (where $b \neq 0$) and
in which addition of points P1(x1, y1) and P2(x2, y2) on
the elliptic curve composed of points defined by
individual coordinate components is presumed to be
represented by P3(x3, y3) with subtraction of the points
P1(x1, y1) and P2(x2, y2) being presumed to be
represented by P4(x4, y4). The cryptography method
includes a step of inputting the coordinate component x1,
a step of transforming the inputted coordinate component
x1 into X- and Z-coordinates $[X_1, Z_1]$ of a projective
space, a step of storing the coordinates $[X_1, Z_1]$ of
the projective space, a step of transforming the
coordinate component x2 into coordinates $[X_2, Z_2]$ of
the projective space, a step of storing the projective
coordinates $[X_2, Z_2]$, a step of transforming the
coordinate component x4 into coordinates $[X_4, Z_4]$ of
the projective space, a step of storing the projective
coordinates $[X_4, Z_4]$, a step of determining
projective coordinates $[X_3, Z_3]$ from the stored
projective coordinates $[X_1, Z_1]$, $[X_2, Z_2]$ and
$[X_4, Z_4]$, a step of transforming the projective
coordinates $[X_3, Z_3]$ into the coordinate component
x3, and a step of outputting the coordinate component x3,
whereby scalar multiplication of the point P1(x1, y1) is
determined. Further, in a preferred mode for carrying out
the present invention, the aforementioned step of
determining the projective coordinates $[X_3, Z_3]$
susceptible to the transformation into the coordinate
component x3 from the stored projective coordinates
$[X_1, Z_1]$, $[X_2, Z_2]$ and $[X_4, Z_4]$ may include a
substep of computing $B = X_1 Z_2^2 + X_2 Z_1^2$, a
substep of storing the computed B, a substep of deciding
whether or not the stored B satisfies the condition that
B = 0, a substep of outputting a point at infinity when
B = 0 while arithmetically determining $Z_3 = Z_4 B$
unless B = 0, a substep of storing the determined $Z_3$,
and a substep of arithmetically determining
$X_3 = X_4 B^2 + X_1 X_2 Z_1^2 Z_2^2 Z_4^2$ from the
stored $Z_3$.

Further, for achieving the second object
mentioned previously, there is provided according to a
second aspect of the present invention, an elliptic curve
cryptography method which can positively prevent leakage
of the private key information from the deviation
information of the processing time in a decryption
processing of an elliptic curve cipher in the finite
field of characteristic 2. In other words, the present
invention also provides a method of realizing an elliptic
curve cryptography in a finite field of characteristic 2
(extension field of "2"), in which the elliptic curve is
given by $y^2 + xy = x^3 + ax^2 + b$ and in which addition
of points P1(x1, y1) and P2(x2, y2) on the elliptic curve
composed of points defined by individual coordinate
components is presumed to be represented by P3(x3, y3)
with subtraction of the points P1(x1, y1) and P2(x2, y2)
being presumed to be represented by P4(x4, y4), the
method including a step of inputting the coordinate
component x1, a step of transforming the inputted
coordinate component x1 into X- and Z-coordinates
$[X_1, Z_1]$ of a projective space, a step of storing the
coordinates $[X_1, Z_1]$ of the projective space, a step
of transforming the coordinate component x2 into
coordinates $[X_2, Z_2]$ of the projective space, a step
of storing the projective coordinates $[X_2, Z_2]$, a
step of transforming the coordinate component x4 into
coordinates $[X_4, Z_4]$ of the projective space, a step
of storing the projective coordinates $[X_4, Z_4]$, a
step of determining projective coordinates $[X_3, Z_3]$
from the stored projective coordinates $[X_1, Z_1]$,
$[X_2, Z_2]$ and $[X_4, Z_4]$, a step of transforming the
projective coordinates $[X_3, Z_3]$ into the coordinate
component x3, and a step of outputting the coordinate
component x3, wherein the cryptography method further
includes a step of generating a random number k, a step
of storing the generated random number k, and a step of
performing arithmetic operation on the individual
coordinate components of the projective space and the
stored random number k after the transformation of the
x-coordinate component to the projective coordinates, to
thereby derive projective coordinates $[k^2 x, k]$. In
other words, a method of constantly varying the object
of the arithmetic in the finite field of characteristic 2
(extension field of "2") is provided.

In another preferred mode for carrying out the
present invention, the elliptic curve cryptography method
may include a step of generating a random number k, a
step of storing the generated random number k, and a step
of performing arithmetic operation on the individual
coordinate components of the projective space and the
stored random number k after the transformation of the
x-coordinate component to the projective coordinates, to
thereby derive projective coordinates $[kx, k]$.

Further, for carrying out the elliptic curve
cryptography methods described above, there is provided
according to another aspect of the present invention, an
arithmetic apparatus for realizing an elliptic curve
cryptography in a finite field of characteristic 2
(extension field of "2"), in which the elliptic curve is
given by $y^2 + xy = x^3 + ax^2 + b$, which apparatus
includes a random number generation module for generating
a random number k, a projective coordinate transformation
module which receives as inputs thereto the coordinate x0
in the finite field of characteristic 2 and the random
number k to thereby transform the coordinate x0 into
projective coordinates $[kx_0, k] = [X_1, Z_1]$, a
doubling arithmetic module for arithmetically determining
a double point from the projective coordinates
$[X_1, Z_1]$, an addition arithmetic module for
determining an addition point from the projective
coordinates $[X_1, Z_1]$ to output the addition point,
and a scalar multiplication module which receives as
inputs thereto information from the projective coordinate
transformation module, the doubling arithmetic module and
the addition arithmetic module to thereby determine
scalar multiplication of the coordinate component x0.

Furthermore, in view of the third object
mentioned previously, there is provided according to a
further aspect of the present invention a recording
medium which stores therein a cryptography method of
realizing an elliptic curve cryptography in a finite
field of characteristic 2 (extension field of "2"), in
which the elliptic curve is given by
$y^2 + xy = x^3 + ax^2 + b$ and in which addition of points
P1(x1, y1) and P2(x2, y2) on the elliptic curve composed
of points defined by individual coordinate components is
presumed to be represented by P3(x3, y3) with subtraction
of the points P1(x1, y1) and P2(x2, y2) being presumed to
be represented by P4(x4, y4), the program comprising a
step of inputting the coordinate component x1, a step of
transforming the inputted coordinate component x1 into X-
and Z-coordinates $[X_1, Z_1]$ of a projective space, a
step of storing the coordinates $[X_1, Z_1]$ of the
projective space, a step of transforming the coordinate
component x2 into coordinates $[X_2, Z_2]$ of the
projective space, a step of storing the projective
coordinates $[X_2, Z_2]$, a step of transforming the
coordinate component x4 into coordinates $[X_4, Z_4]$ of
the projective space, a step of storing the projective
coordinates $[X_4, Z_4]$, a step of determining
projective coordinates $[X_3, Z_3]$ from the stored
projective coordinates $[X_1, Z_1]$, $[X_2, Z_2]$ and
$[X_4, Z_4]$, a step of transforming the projective
coordinates $[X_3, Z_3]$ into the coordinate component
x3, and a step of outputting the coordinate component x3,
whereby scalar multiplication of the point P1(x1, y1) is
determined.

The method of realizing the elliptic curve
cryptography in the finite field of characteristic 2
mentioned previously can effectively be employed as the
measures for preventing leakage of the private key
information from the deviation information of the
processing time for decrypting an elliptic curve cipher
text on a prime field. To this end, according to a still
further aspect of the present invention, there may be
adopted a combination of the arithmetics (a) and (b)
mentioned below.

(a) In the case where the standard form of an
elliptic curve in a prime field is given by
$By^2 = x^3 + Ax^2 + Bx$, the scalar multiplication
algorithm according to the Montgomery method is adopted
for determining the scalar multiplication d(x, y) of the
elliptic curve.

(b) In conjunction with computation for scalar
multiplication d(x, y), a random number k is generated
upon transformation of the affine coordinates (x, y) into
the projective coordinates to thereby effectuate the
transformation $(x, y) \rightarrow [kx, ky, k]$ or
$(x, y) \rightarrow [k^2 x, k^3 y, k]$.

By virtue of the method mentioned above, the
object for arithmetic in the prime field can constantly
be varied by the random number.

Other objects, features and advantages of the
present invention will become apparent from the following
detailed description of the preferred or exemplary
embodiments taken in conjunction with the accompanying
drawings.



BRIEF DESCRIPTION OF THE DRAWINGS 

In the course of the description which follows,
reference is made to the drawings, in which:

Fig. 1 is a functional block diagram for
illustrating processing flows in an elliptic curve
cryptograph system according to an embodiment of the
present invention;

Fig. 2 is a flow chart for illustrating a part
of a scalar multiplication procedure adopted in the
elliptic curve cryptography according to a first
embodiment of the present invention;

Fig. 3 is a flow chart for illustrating the
other part of the scalar multiplication procedure
mentioned just above;

Fig. 4 is a flow chart for illustrating an
addition procedure adopted in the elliptic curve
cryptography according to the first embodiment of the
present invention;

Fig. 5 is a flow chart for illustrating a
doubling arithmetic procedure adopted in the elliptic
curve cryptography according to the first embodiment of
the present invention;

Fig. 6 is a flow chart for illustrating a part
of a scalar multiplication procedure in the elliptic
curve cryptography according to a second embodiment of
the present invention;

Fig. 7 is a flow chart for illustrating the
other part of the procedure mentioned just above;

Fig. 8 is a flow chart for illustrating an
addition procedure in the elliptic curve cryptography
according to the second embodiment of the invention;

Fig. 9 is a functional block diagram showing
schematically a structure of the elliptic curve
arithmetic unit of the elliptic curve cryptograph
apparatus according to a sixth embodiment of the present
invention;

Fig. 10 is a block diagram showing a general
configuration of an elliptic curve cryptograph system to
which the present invention can be applied;

Fig. 11A is a flow chart for illustrating a
part of a scalar multiplication procedure in which
Montgomery method is adopted according to a third
embodiment of the present invention;

Fig. 11B is a flow chart for illustrating the
other part of the scalar multiplication procedure
mentioned just above;

Fig. 12A is a flow chart for illustrating a part
of a scalar multiplication procedure according to a
fourth embodiment of the present invention;

Fig. 12B is a flow chart for illustrating the
other part of the scalar multiplication procedure
mentioned just above;

Fig. 13 is a flow chart for illustrating an
addition procedure according to the fourth embodiment of
the present invention;

Fig. 14 is a flow chart for illustrating a
doubling method according to the fourth embodiment of the
invention;

Figs. 15A and 15B are a flow chart for
illustrating a scalar multiplication procedure according
to a fifth embodiment of the present invention;

Fig. 16 is a flow chart for illustrating an
addition procedure according to the fifth embodiment of
the present invention.



DESCRIPTION OF THE EMBODIMENTS 

Now, the present invention will be described in
detail in conjunction with what is presently considered
as preferred or typical embodiments thereof by reference
to the drawings.

General description 

First mentioned below are the arithmetic algorithm
or rules for an elliptic curve of the standard form
$y^2 + xy = x^3 + ax^2 + b$ ($b \neq 0$) in a finite field
of characteristic 2 of the affine coordinate system.



1) 0 + 0 = 0

2) (x, y) + 0 = (x, y)

3) (x, y) + (x, x + y) = 0

4) Commutativity

(x0, y0) + (x1, y1) = (x1, y1) + (x0, y0)

5) Addition arithmetic

(x2, y2) = (x1, y1) + (x0, y0)

$x_2 = a + \lambda^2 + \lambda + x_0 + x_1$; $y_2 = \lambda(x_1 + x_2) + x_2 + y_1$;
$\lambda = (y_0 + y_1)/(x_0 + x_1)$

6) Doubling arithmetic

(x2, y2) = (x1, y1) + (x1, y1) = 2(x1, y1)

$x_2 = a + \lambda^2 + \lambda$; $y_2 = \lambda(x_1 + x_2) + x_2 + y_1$;
$\lambda = x_1 + (y_1/x_1)$, or $x_2 = x_1^2 + b/x_1^2$



In order to facilitate the computation for the elliptic
curve such as mentioned above, points (X, Y) on the
elliptic curve in the affine coordinate system may be
transformed to the points expressed in terms of the
projective coordinates. At this juncture, suppose a
projective coordinate system in which
$[X, Y, Z] = [\lambda^2 X, \lambda^3 Y, \lambda Z]$ holds
for a given $\lambda \neq 0$. Then, correspondence can be
established between the affine coordinates and the
projective coordinates as mentioned below. Namely, the
affine coordinates (x, y) can be expressed by the
projective coordinates [x, y, 1], while the projective
coordinates [X, Y, Z] can be expressed by the affine
coordinates $(X/Z^2, Y/Z^3)$. Further, in the projective
coordinate system, it holds that
-[X, Y, Z] = [X, XZ+Y, Z].
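
Added example (not part of the patent text): a Python check of the arithmetic described above for the curve y^2 + xy = x^3 + ax^2 + b. It runs the x-only scalar multiplication with the summary's formulas for B, Z3 and X3 and the randomised start [k^2 x, k], and compares the result with the affine rules 1) to 6). The field GF(2^8), the curve constants, all function names and the projective doubling step (derived here from x2 = x1^2 + b/x1^2 with x = X/Z^2) are assumptions of this example.

```python
import secrets

M, POLY = 8, 0x11B   # constructed toy field GF(2^8): x^8 + x^4 + x^3 + x + 1
A, B = 1, 0x1D       # constructed curve y^2 + xy = x^3 + A x^2 + B, B != 0
INF = (1, 0)         # x-only point at infinity: Z = 0

def gf_mul(u, v):
    """Product in GF(2^M): carry-less multiply with reduction by POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        u, v = u << 1, v >> 1
        if u >> M:
            u ^= POLY
    return r

def gf_inv(u):
    """Inverse u^(2^M - 2), built as the product of u^2, u^4, ..., u^(2^(M-1))."""
    r = 1
    for _ in range(M - 1):
        u = gf_mul(u, u)
        r = gf_mul(r, u)
    return r

def affine_add(P, Q):
    """Affine rules 1) to 6) from the page; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x0, y0), (x1, y1) = P, Q
    if x0 == x1:
        if y1 == x0 ^ y0:                       # Q = -P, rule 3)
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))       # doubling, rule 6)
        x2 = A ^ gf_mul(lam, lam) ^ lam
    else:
        lam = gf_mul(y0 ^ y1, gf_inv(x0 ^ x1))  # addition, rule 5)
        x2 = A ^ gf_mul(lam, lam) ^ lam ^ x0 ^ x1
    return (x2, gf_mul(lam, x1 ^ x2) ^ x2 ^ y1)

def affine_mul(d, P):
    """Reference double-and-add on affine points (one inversion per step)."""
    R = None
    for bit in bin(d)[2:]:
        R = affine_add(R, R)
        if bit == "1":
            R = affine_add(R, P)
    return R

def xadd(P1, P2, P4):
    """[X3, Z3] of P1 + P2 from [X4, Z4] of P1 - P2, using the summary formulas."""
    (X1, Z1), (X2, Z2), (X4, Z4) = P1, P2, P4
    u, v = gf_mul(X1, gf_mul(Z2, Z2)), gf_mul(X2, gf_mul(Z1, Z1))
    Bv = u ^ v                                  # B = X1*Z2^2 + X2*Z1^2
    if Bv == 0:
        return INF                              # P1 + P2 is the point at infinity
    X3 = gf_mul(X4, gf_mul(Bv, Bv)) ^ gf_mul(gf_mul(u, v), gf_mul(Z4, Z4))
    return (X3, gf_mul(Z4, Bv))                 # Z3 = Z4*B

def xdbl(P):
    """Doubling x2 = x1^2 + b/x1^2 rewritten for x = X/Z^2 (derived for this example)."""
    X, Z = P
    x2, z2 = gf_mul(X, X), gf_mul(Z, Z)
    z4 = gf_mul(z2, z2)
    return (gf_mul(x2, x2) ^ gf_mul(B, gf_mul(z4, z4)), gf_mul(X, z2))

def randomise(x, k):                             # [k^2 x, k] for nonzero k
    return (gf_mul(gf_mul(k, k), x), k)

def ladder_x(d, x, k=None):
    """x-coordinate of dR from x(R) alone (x != 0, d >= 1); None is infinity."""
    if k is None:
        k = secrets.randbelow((1 << M) - 1) + 1  # fresh nonzero k per call
    R = randomise(x, k)
    P1, P2 = R, xdbl(R)                          # [R, 2R]
    for bit in bin(d)[3:]:                       # bits below the leading 1
        if bit == "0":
            P1, P2 = xdbl(P1), xadd(P1, P2, R)   # [2mR, (2m+1)R]
        else:
            P1, P2 = xadd(P1, P2, R), xdbl(P2)   # [(2m+1)R, 2(m+1)R]
    X, Z = P1
    return None if Z == 0 else gf_mul(X, gf_inv(gf_mul(Z, Z)))

def find_point():                                # brute force, fine for 256 elements
    for x in range(2, 1 << M):
        rhs = gf_mul(gf_mul(x, x), x ^ A) ^ B
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == rhs:
                return (x, y)

def ladder_matches_reference(max_d=300):
    """Compare the ladder with the affine reference for every d and several k."""
    P = find_point()
    for d in range(1, max_d + 1):
        ref = affine_mul(d, P)
        want = None if ref is None else ref[0]
        if any(ladder_x(d, P[0], k) != want for k in (1, 2, 0x53, 0xFF)):
            return False
    return True
```

The ladder returns the same x-coordinate for every nonzero k while the intermediate operands differ from run to run. Python integer arithmetic is not constant-time, so this checks the arithmetic only.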



Now, the concept underlying the present
invention will be described by reference to the drawings.

Figure 10 is a block diagram showing a general
configuration of an elliptic curve encryption system to
which the present invention can be applied. Referring to
the figure, reference numeral 1001 denotes an
input/output interface for an input device such as a
keyboard and/or the like for inputting plain texts to be
encrypted and for an output device such as a display, a
printer and/or the like for outputting plain texts
resulting from decryption. The interface 1001 may
include a storage unit such as a memory or the like for
storing the plain text. For encrypting the plain text as
inputted through the input/output interface, there is
provided an encrypting module 1002 which is so designed
as to receive as the inputs thereto an elliptic curve
generated by an elliptic curve generating module 1003 and
keys from a public key/private key generating module
1004. At this juncture, it is to be mentioned that the
public key and the encryption key are combined in a pair,
wherein which of these keys is to be made available for
the encrypting module 1002 or the decrypting module 1006
depends on the practical application for which the
cryptography system is employed, i.e., whether the
cryptography system is employed, for example, for the
privacy communication or for the signature/authentication
communication. The cipher text resulting from the
encryption is sent out through the medium of an
interconnection interface 1005. The decrypting module
1006 is designed to decrypt the cipher text into a plain
text.



Figure 1 is a functional block diagram for
illustrating processing flows in an elliptic curve
encryption system according to an embodiment of the
present invention. Incidentally, it should be mentioned
that the elliptic curve encryption system according to
the present invention may be provided in the form of
software programmed for executing the elliptic curve
cryptography. In that case, the software may be
installed in an appropriate information processing
apparatus from a recording medium such as a CD-ROM, FD or
the like. Referring to Fig. 1, the elliptic curve used
for the elliptic curve cryptography is generated by the
elliptic curve generating module designated by 101 in
this figure. The elliptic curve generated by the
elliptic curve generating module 101 is inputted to the
public key/private key generating module 102 which
responds thereto by generating a public key 115 and a
private key 116 on the basis of the elliptic curve as
inputted. The encrypting module 103 receives as inputs
thereto data of the plain text 113, the public key 115
and the elliptic curve to thereby output a cipher text
112. On the other hand, the decrypting module 104 is
designed to receive as inputs thereto the cipher text
112, the private key 116 and the elliptic curve to
thereby output a plain text 114. Needless to say, the
plain text 114 outputted from the decrypting module 104
is the same as the plain text 113 mentioned previously.

The elliptic curve generating module 101 is designed to generate the elliptic curve in accordance with a processing procedure described below. Through a primitive polynomial setting process or submodule 105, a primitive polynomial f(x) in a prime field F_2 is set. Such primitive polynomial in the prime field F_2 is described, for example, in A. Menezes, P. Oorschot and S. Vanstone: "HANDBOOK OF APPLIED CRYPTOGRAPHY", CRC Press, Section 4.5.3 Primitive Polynomials (1996).

In an elliptic curve parameter setting step or submodule 106, parameters a and b for the elliptic curve y^2 + xy = x^3 + ax^2 + b defined on the basis of a finite field Fq of characteristic 2 (which may also be referred to as the extension field of "2") are set. For the elliptic curve which can ensure security, it is necessary that the order #E(Fq) of the elliptic curve has a large prime factor r. In the case where #E(Fq) = kr holds, the prime factor r can assume a large prime number by selecting a small integer for k. Parenthetically, concerning the method of generating an elliptic curve having a large prime factor r as the order, reference may be made to Henri Cohen: "A COURSE IN COMPUTATIONAL ALGEBRAIC NUMBER THEORY", GTM138, Springer (1993) p. 464, Atkin's Test. At this juncture, it should however be mentioned that the elliptic-curve primitive polynomial setting method can equally be realized by resorting to another elliptic curve the order of which has a large prime factor.

A base point generating submodule 107 is designed to determine a generator of a cyclic subgroup having the prime factor r mentioned above as the order in the Abelian group on the elliptic curve. By way of example, in the case where #E(Fq) = kr holds, a given point (x1, y1) on the elliptic curve E(Fq) in the finite field of characteristic 2 is determined in a first step. Subsequently, in a second step, G = (x1, y1) is set as the base point on the conditions that r(x1, y1) = 0 and k(x1, y1) ≠ 0. Otherwise, the first step mentioned just above is resumed.

At this juncture, it is to be noted that the expression r(x1, y1) means execution of the scalar multiplication (multiplication by r or r-multiplication) for the point (x1, y1). Incidentally, the arithmetic for the scalar multiplication (r-multiplication) will be elucidated later on in conjunction with the elliptic curve arithmetic submodule 109.

Through the procedure described above, the primitive polynomial f(x), the parameters a and b of the elliptic curve y^2 + xy = x^3 + ax^2 + b, the base point G and the order r of the base point have been generated which are the information destined to be laid open for the general public.

The public key/private key generating module 102 is designed to generate the public key and the private key in accordance with the procedure described below. On the presumption that the primitive polynomial f(x), the parameters a and b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted to the public key/private key generating module 102 and that a public key Q and a private key d are outputted therefrom, a random number which satisfies the condition that 2 < d < r-1 is generated in a first step, whereon the public key Q = dG, i.e., a scalar multiplication (d-multiplication) of the base point G, is determined.

The public key is the information to be laid open to the general public while the private key represents the information to be kept secret. The problem of determining the private key d on the basis of the public key Q and the base point G is what is known as the discrete logarithm problem and requires for the solution thereof an amount of computation which is on the exponential order of the bit-length of the base point on the elliptic curve. Consequently, in case the order r is a large prime number, e.g. when the prime factor r is greater than the 159-th power of "2", it is impossible in practice to determine the private key d from the public key Q and the base point G. This is the principle underlying the elliptic curve cryptography. In this conjunction, the method of arithmetically determining the public key Q is known in the art, as disclosed, for example, in D.V. Chudnovsky and G.V. Chudnovsky: "SEQUENCES OF NUMBERS GENERATED BY ADDITION IN FORMAL GROUPS AND NEW PRIMALITY AND FACTORIZATION TESTS", Advances in Applied Mathematics, 7, 385-434, 1986.

In the encrypting module 103, the plain text 113 is translated to the cipher text 112 in accordance with the procedure which will be described below. On the presumption that a plain text M, the public key Q, the primitive polynomial f(x), the parameter b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted to the encrypting module 103 and that a cipher text C is outputted therefrom, a random number k is generated in a first step by the random number generating submodule 108, whereon in the second step, the base point G and the random number k generated in the first step undergo arithmetic operation for determining kG, i.e., (kx1, ky1), in the elliptic curve arithmetic submodule 109. In a third step, the public key Q and the random number k generated in the first step undergo arithmetic operation for determining kQ, i.e., (kx2, ky2), in the elliptic curve arithmetic submodule 109. In a fourth step, arithmetic operation M xor x2 is executed in the data encryption processing submodule 110, the result of which is set as M'. In a fifth step, arithmetic operation x1 || y1 || M' is executed, as a result of which the cipher text C is outputted from the data encryption submodule 110.

The elliptic curve arithmetic submodule 109 is designed to execute a scalar multiplication (kR) arithmetic for a given point R to thereby determine the x-coordinate. Owing to such arrangement, the private key information can be protected against leakage from deviation (difference) information of the processing time or period for the decryption of the elliptic curve cipher text in the finite field of characteristic 2. In the following, the scalar multiplication method will be elucidated.

Scalar multiplication method according to first embodiment

Figures 2 and 3 in combination illustrate in a flow chart the scalar multiplication method according to a first embodiment of the present invention.

It is presumed that a projective coordinate component X_0 of the x-coordinate of a given point R and a scalar value m are inputted and that a projective coordinate component X_m of the x-coordinate of a point corresponding to m-multiple of R is to be outputted. On this assumption, the scalar value m and the projective coordinate component X_0 of the x-coordinate are inputted (step 202). In the succeeding steps 203 to 205, data stirring is performed by multiplying the individual projective coordinates by the random number. More specifically, the random number k is generated in the step 203, whereon k^2 X_0 is arithmetically determined by multiplying the projective coordinate component X_0 by the random number k and assigned to X_1 in the step 204 while the random number k itself is assigned to Z_1 in the step 205. In succeeding steps 206 to 208 and 301, preparation is made for the scalar multiplication. More concretely, [X_1, Z_1] is assigned to [X_4, Z_4] in the step 206, being followed by the step 206 where [X_1, Z_1] is inputted to the doubling process (illustrated in Fig. 5), the output of which is then assigned to [X_2, Z_2] in the step 207. Further, in a step 208, the scalar value m is transformed to a binary bit string h_l h_(l-1) ... h_0, where the most significant bit h_l is "1", and thus "l" is assigned to i in a step 301 shown in Fig. 3. Through processing steps 302 to 309 (see Fig. 3), the addition method and the doubling method are controlled in dependence on whether one bit of the scalar value m is "0" or "1" to thereby realize the scalar multiplication. More specifically, "i-1" is assigned to i in the step 302, which is followed by the step 303 where [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted to the addition process (illustrated in Fig. 4), the output of which is assigned to [X_3, Z_3] in the step 303. At this juncture, when h_i == 0 (i.e., when the step 304 results in affirmation "Yes"), the processing proceeds to the step 305 while it proceeds to the step 307 when h_i == 1, i.e., when the decision step 304 results in negation "No". In the step 305, [X_1, Z_1] is inputted to the doubling arithmetic or process (Fig. 5), the output from which is assigned to [X_1, Z_1]. In the step 306, [X_3, Z_3] is assigned to [X_2, Z_2], whereon the processing proceeds to the step 309. On the other hand, when the decision step 304 results in "No", [X_2, Z_2] is inputted to the doubling arithmetic or process illustrated in Fig. 5, the output of which is assigned to [X_2, Z_2] (step 307). In the step 308, [X_3, Z_3] is assigned to [X_1, Z_1], whereupon the processing proceeds to the step 309. In the case where i > 0, i.e., when the step 309 results in "Yes", the step 302 is resumed. If otherwise, i.e., when the decision step 309 results in "No", the processing proceeds to a step 310. Subsequently, the projective coordinates are transformed to the x-coordinate of the (x, y) coordinate system. Finally, X_1/(Z_1)^2 is assigned to the projective coordinate component X_m (step 310) to be ultimately outputted (step 311).

Next, description will be directed to the addition method or arithmetic. It is presumed that as the projective space coordinates of a point on the elliptic curve, [X, Y, Z] = [λ^2 X, λ^3 Y, λZ] holds for a given λ ≠ 0. At this juncture, let's consider the points P0 = (x0, y0) = [X_0, Y_0, Z_0] and P1 = (x1, y1) = [X_1, Y_1, Z_1] as the points on the elliptic curve. Additionally, it is presumed that the sum of the points P0 and P1 and the difference therebetween are given by P3 = (x3, y3) = [X_3, Y_3, Z_3] and P4 = (x4, y4) = [X_4, Y_4, Z_4], respectively.

Expressing mathematically,

P1 + P0 = P3,
P1 - P0 = P4,
x3 = a + (λ_3)^2 + λ_3 + x0 + x1; λ_3 = (y0 + y1)/(x0 + x1),
x4 = a + (λ_4)^2 + λ_4 + x0 + x1; λ_4 = (x0 + y0 + y1)/(x0 + x1),
λ_3 + λ_4 = (x0)/(x0 + x1),
(λ_3)^2 + (λ_4)^2 = (x0)^2/(x0 + x1)^2, and
x3 + x4 = ((x0)^2 + (x0)(x0 + x1))/(x0 + x1)^2
        = (x0 x1)/(x0 + x1)^2.

From the above, the following relation can be derived.

x3 + x4 = (x0 x1)/(x0 + x1)^2 ... (1)

Subsequently, relations in the projective coordinate system are derived. Replacing "x1" and "x0" in the expression (1) by "x1 = X_1/(Z_1)^2" and "x0 = X_0/(Z_0)^2", respectively, then

X_3/(Z_3)^2 = X_4/(Z_4)^2 + ((X_0/(Z_0)^2)(X_1/(Z_1)^2))/(X_0/(Z_0)^2 + X_1/(Z_1)^2)^2
            = X_4/(Z_4)^2 + ((X_0 (Z_0)^2)(X_1 (Z_1)^2))/(X_0 (Z_1)^2 + X_1 (Z_0)^2)^2
            = (X_4 β^2 + (Z_4)^2 (X_0 (Z_0)^2)(X_1 (Z_1)^2))/((Z_4)^2 β^2)

where β = X_0 (Z_1)^2 + X_1 (Z_0)^2.

From the above expression, there can be derived:

X_3 = X_4 β^2 + (Z_4)^2 (X_0 (Z_1)^2)(X_1 (Z_0)^2) ... (2)

Z_3 = Z_4 β ... (3)
On the presumption that mR = [X_1, Y_1, Z_1], (m + 1)R = [X_2, Y_2, Z_2], R = [X_4, Y_4, Z_4] and (2m + 1)R = [X_3, Y_3, Z_3], the addition arithmetic will be elucidated below.

Addition method according to first embodiment

Figure 4 is a flow chart for illustrating the addition method according to the first embodiment of the present invention. The projective coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted, whereby coordinates [X_3, Z_3] or a point at infinity is outputted. Thus, the projective coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted in a step 402. Through processings in steps 403 to 407, X_1 (Z_2)^2 + X_2 (Z_1)^2 is determined for making decision whether or not the result of the addition arithmetic represents the point at infinity. Interim results S_1, S_2 and B provide preparation for the realization of the expressions (2) and (3) mentioned above. More specifically, X_1 (Z_2)^2 is assigned to S_1 in the step 403 and X_2 (Z_1)^2 is assigned to S_2 in the step 404, whereupon S_1 + S_2 is assigned to B in the step 405. When B == 0 in the step 406 (i.e., when the decision step 406 results in "Yes"), the processing proceeds to the step 407. If otherwise (i.e., when the decision in the step 406 results in "No"), the processing proceeds to the step 408. In the step 407, the point at infinity is outputted, whereon the processing comes to an end (step 413). Through the processing steps 408 to 411 executed when the decision step 406 results in "No", the coordinates [X_3, Z_3] are determined in accordance with the expressions (2) and (3) mentioned hereinbefore. More concretely, Z_4 B is assigned to Z_3 in the step 408 and (Z_4)^2 S_1 S_2 is assigned to S in the step 409 with X_4 B^2 being assigned to M in the step 410, whereupon M + S is assigned to X_3 in the step 411, and [X_3, Z_3] is outputted in the step 412. Through the procedure described above, the addition arithmetic can be realized by sextuple multiplications of the mutually different variables. In other words, X_3 can be arithmetically determined from X_1, X_2 and X_4 at a high speed.

Next, description will turn to the doubling method. Let's represent a double point of the point P1 by P2 and presume that P1 = (x1, y1) = [X_1, Y_1, Z_1], and that P2 = (x2, y2) = [X_2, Y_2, Z_2]. The doubling expression is given by x2 = (x1)^2 + b/(x1)^2. Accordingly, by placing x1 = X_1/(Z_1)^2 and x2 = X_2/(Z_2)^2 in the doubling expression as follows,

X_2/(Z_2)^2 = (X_1/(Z_1)^2)^2 + b/(X_1/(Z_1)^2)^2
            = (X_1)^2/(Z_1)^4 + (b (Z_1)^4)/(X_1)^2
            = ((X_1)^4 + b (Z_1)^8)/((X_1)^2 (Z_1)^4)

there can be derived the following relations.

X_2 = (X_1)^4 + b (Z_1)^8 ... (4)

Z_2 = X_1 (Z_1)^2 ... (5)

The doubling method based on the expressions mentioned above will be described.

Doubling method according to first embodiment

Figure 5 is a flow chart for illustrating the doubling method according to the first embodiment of the present invention. Referring to the figure, it is presumed that Q = [X_1, Z_1] and b are inputted, whereby 2Q = [X_2, Z_2] or alternatively the point at infinity is to be outputted. In a step 502, X_1 and Z_1 are inputted. In the succeeding steps 503 and 504, decision is made whether or not X_1 == 0 or Z_1 == 0 is valid in order to make decision as to whether the doubling arithmetic results in the point at infinity. Namely, when X_1 == 0 or Z_1 == 0 in the step 503 (i.e., when the decision step 503 results in "Yes"), the processing proceeds to the step 504. If otherwise (i.e., when the decision step 503 results in "No"), the processing proceeds to a step 505. In the step 504, the point at infinity is outputted. In the succeeding steps 505 to 507, the coordinates [X_2, Z_2] are determined in accordance with expressions (4) and (5) mentioned previously. More specifically, in the step 505, (Z_1)^2 is assigned to S. In the step 506, X_1 S is assigned to Z_2. In the step 507, (X_1)^4 + b(S)^4 is assigned to X_2. In the step 508, the coordinates [X_2, Z_2] are outputted. Through the procedure described above, the addition arithmetic can be realized by executing twice the multiplication of mutually different variables. Accordingly, in the scalar multiplication method, the addition arithmetic can be realized by executing (6 + 2 = 8)-times the multiplication of mutually different variables per bit of the scalar value d. In other words, the projective coordinate X_3 can be arithmetically determined very speedily from X_1, X_2 and X_4.
Now turning back to Fig. 1, the decrypting module 104 is designed to transform the cipher text 112 into the original plain text 114 through the procedure described below. Of course, the cipher text 112 and the plain text 114 are the same with regard to the content. On the presumption that the cipher text C <- x1 || y1 || M', private key d, primitive polynomial f(x), parameter b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted, whereby the plain text M is outputted, the following steps are executed.

step 1: (x2, y2) <- d(x1, y1) (by the data decryption processing submodule 111)
step 2: plain text M <- M' xor x2

The step 1 can be executed in accordance with the procedure described hereinbefore by reference to Figs. 2 and 3.

Through the procedure described above, determination of the x-coordinate equivalent to the scalar (d) multiplication of given coordinates (x, y) can be realized by executing eight mutually different multiplication processings for each bit of d independent of the bit pattern thereof. Furthermore, by setting [k^2 x, k], where k represents a random number, as the initial value for the scalar multiplication of the given x-coordinate, the object of the arithmetic can constantly be varied. Additionally, owing to combination of the procedures described in the foregoing, no bit pattern of d can make appearance in the deviation (difference) of the d(x, y)-processing time, which in turn means that any private key information can be protected against leakage in terms of the deviation information of the d(x, y)-processing time. In addition, this feature indicates that in the DPA (Differential Power Analysis) for realizing the cryptanalysis by making use of deviations of current, voltage, electric power for the encryption processing as well, the private key information is protected against leakage in terms of the deviation information of the current, voltage or electric power for the d(x, y) processing.
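The scalar multiplication of Figs. 2 to 5, as an added example that is not code from the patent: it runs the randomized x-only procedure over a constructed toy field GF(2^7) and checks it against plain affine arithmetic. The field size, the parameters a and b, the point R and all function names are assumptions made for illustration.

```python
import secrets

M_BITS = 7             # toy field GF(2^7), constructed; far too small for real use
F_POLY = 0b10000011    # primitive polynomial f(x) = x^7 + x + 1
A, B = 0b1, 0b1100     # constructed parameters a, b of y^2 + xy = x^3 + a*x^2 + b
R = (0b10, 0b0)        # constructed point: x^3 + a*x^2 + b = 0 at x = 2, so y = 0
MULS = 0               # multiplications of mutually different variables so far

def _mul(u, v):
    """Product of two field elements, reduced modulo f(x)."""
    acc = 0
    while v:
        if v & 1:
            acc ^= u
        v >>= 1
        u <<= 1
        if u >> M_BITS:
            u ^= F_POLY
    return acc

def mul(u, v):
    global MULS
    MULS += 1
    return _mul(u, v)

def sqr(u):
    return _mul(u, u)

def inv(u):
    """u^(2^m - 2), the inverse of u != 0."""
    out = 1
    for _ in range(M_BITS - 1):
        u = sqr(u)
        out = _mul(out, u)
    return out

def add(P1, P2, P4):
    """Fig. 4, expressions (2) and (3). B == 0 (step 406) shows up as Z3 == 0."""
    (X1, Z1), (X2, Z2), (X4, Z4) = P1, P2, P4
    S1 = mul(X1, sqr(Z2))                       # step 403
    S2 = mul(X2, sqr(Z1))                       # step 404
    Bt = S1 ^ S2                                # step 405
    Z3 = mul(Z4, Bt)                            # step 408
    S = mul(sqr(Z4), mul(S1, S2))               # step 409
    return (mul(X4, sqr(Bt)) ^ S, Z3)           # steps 410-411

def double(P):
    """Fig. 5, expressions (4) and (5). X1 == 0 or Z1 == 0 gives Z2 == 0."""
    X1, Z1 = P
    S = sqr(Z1)                                 # step 505
    return (sqr(sqr(X1)) ^ mul(B, sqr(sqr(S))), mul(X1, S))   # steps 507, 506

def scalar_mul_x(m, x0, k=None):
    """Figs. 2 and 3: x-coordinate of mR (m >= 1) from x0 = x(R); None at infinity."""
    if k is None:
        k = 1 + secrets.randbelow((1 << M_BITS) - 1)    # step 203, k != 0
    P1 = P4 = (mul(sqr(k), x0), k)                      # steps 204-206
    P2 = double(P1)                                     # step 207
    for i in range(m.bit_length() - 2, -1, -1):         # steps 301, 302, 309
        P3 = add(P1, P2, P4)                            # step 303
        if ((m >> i) & 1) == 0:                         # step 304
            P1, P2 = double(P1), P3                     # steps 305-306
        else:
            P1, P2 = P3, double(P2)                     # steps 307-308
    X1, Z1 = P1
    return None if Z1 == 0 else _mul(X1, inv(sqr(Z1)))  # step 310

def muls_used(m, x0):
    """Counted multiplications in one run: 3 for set-up plus 8 per processed bit."""
    global MULS
    MULS = 0
    scalar_mul_x(m, x0)
    return MULS

def affine_add(P, Q):
    """Reference affine group law, used only to check the ladder (None = infinity)."""
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 ^ y2) == x1:                    # Q == -P
        return None
    if x1 == x2:                                        # doubling
        lam = x1 ^ _mul(y1, inv(x1))
        x3 = sqr(lam) ^ lam ^ A
        return (x3, sqr(x1) ^ _mul(lam ^ 1, x3))
    lam = _mul(y1 ^ y2, inv(x1 ^ x2))
    x3 = sqr(lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, _mul(lam, x1 ^ x3) ^ x3 ^ y1)

def reference_x(m, P):
    """x-coordinate of mP by repeated affine addition; None at infinity."""
    Q = None
    for _ in range(m):
        Q = affine_add(Q, P)
    return None if Q is None else Q[0]
```

Both the addition and one doubling are executed for every bit whatever its value, so the count of multiplications depends only on the bit length of m. Python integer arithmetic is not constant-time, so the block shows the operation sequence rather than a hardened implementation.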

Next, description will be made of a second embodiment of the invention which can further speed up the arithmetic operations involved in the elliptic curve cryptography when compared with the first embodiment described above. Representing the coordinate transformation from the affine coordinates to the projective coordinates by (x, y) -> [x, y, 1], Z_4 = 1 holds. By placing Z_4 = 1 in the expressions (2) and (3), there can be derived the following expressions:

X_3 = (X_4 β^2) + (X_0 (Z_1)^2)(X_1 (Z_0)^2) ... (6)

(7)



By making use of the above expressions, the scalar multiplication method and the addition method can be carried out in the manners described below.

Scalar multiplication method according to second embodiment



Figures 6 and 7 in combination illustrate in a flow chart a processing procedure for the scalar multiplication method according to the second embodiment of the present invention. It is presumed that a projective coordinate component X_0 of the x-coordinate of a given point R and a scalar value m are inputted for thereby outputting a projective coordinate component X_m of the x-coordinate of a point corresponding to m-multiplication or m-tuple of R. To this end, the scalar value m and the projective coordinate component X_0 of the x-coordinate are inputted in the step 602. In the succeeding steps 603 and 604, transformation of X_0 to the projective coordinate is performed. More specifically, in the step 603, X_0 is assigned to X_1. In the step 604, "1" is assigned to Z_1. In the processing steps 605 to 607, preparation is made for the scalar multiplication. More concretely, coordinates [X_1, Z_1] are assigned to [X_4, Z_4] in the step 605 to thereby allow [X_1, Z_1] to be inputted to the doubling arithmetic (Fig. 5), the output of which is assigned to [X_2, Z_2] in the step 606. In the step 607, h_l h_(l-1) ... h_0 are set as the binary bit string representing the scalar value m, in which the most significant bit h_l is "1", and thus "l" is assigned to i in a step 701 shown in Fig. 7. In the succeeding processing steps 702 to 709, the addition method and the doubling method are controlled in dependence on whether one bit of the scalar value m is "0" or "1" to thereby determine the scalar multiplication. More specifically, in the step 702, "i-1" is assigned to i while in the step 703, [X_1, Z_1], [X_2, Z_2] and X_0 are inputted to the addition method (Fig. 8), the output of which is assigned to [X_3, Z_3]. When h_i == 0 (i.e., when the decision step 704 results in affirmation "Yes"), the processing proceeds to the step 705 while it proceeds to the step 707 when h_i == 1, i.e., when the decision step 704 results in negation "No". In the step 705, [X_1, Z_1] is inputted to the doubling method (Fig. 5), the output from which is assigned to [X_1, Z_1]. In the succeeding step 706, [X_3, Z_3] is assigned to [X_2, Z_2], whereupon the processing proceeds to the step 709. On the other hand, in the step 707, [X_2, Z_2] is inputted to the doubling method (Fig. 5), the output of which is assigned to [X_2, Z_2]. In the succeeding step 708, [X_3, Z_3] is assigned to [X_1, Z_1], whereupon the processing proceeds to the decision step 709. In case the decision step 709 results in that i > 0 (i.e., when the step 709 results in "Yes"), the step 702 is resumed. On the other hand, when i < 0, i.e., when the decision step 709 results in "No", the processing proceeds to the step 710 where X_1/(Z_1)^2 is assigned to the projective coordinate component X_m to be ultimately outputted.

Addition method according to second embodiment 

Figure 8 is a flow chart for illustrating the addition method according to the second embodiment of the invention. It is presumed that the projective coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted and that [X_3, Z_3] or the point at infinity is to be outputted. Thus, the projective coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted in a step 802. Through the processings in subsequent steps 803 to 807, X_1 (Z_2)^2 + X_2 (Z_1)^2 is computed for making decision whether or not the result of the addition represents the point at infinity. Interim results S_1, S_2 and B provide preparation for realization of the expressions (6) and (7) mentioned previously. More specifically, X_1 (Z_2)^2 is assigned to S_1 in the step 803. In the step 804, X_2 (Z_1)^2 is assigned to S_2. In the step 805, S_1 + S_2 is assigned to B. When it is decided that B == 0 in the step 806 (i.e., when decision in the step 806 results in "Yes"), the processing proceeds to the step 807. If otherwise (i.e., when the decision in the step 806 results in "No"), the processing proceeds to the step 808. In the step 807, the point at infinity is outputted, whereon the processing proceeds to the step 813. Through the processing steps 808 to 811, the projective coordinates [X_3, Z_3] are determined in accordance with the expressions (6) and (7) mentioned hereinbefore. More concretely, B is assigned to Z_3 in the step 808. In the step 809, S_1 S_2 is assigned to S. In the step 810, X_4 (Z_3)^2 is assigned to M. In the step 811, M + S is assigned to X_3. Finally, in the step 812, [X_3, Z_3] is outputted.

Through the procedure described above, the addition arithmetic can be realized by executing four times the multiplication of mutually different variables. Thus, it is apparent that with the addition arithmetic or method according to the second embodiment of the invention, the number of times the multiplication is required to be executed can be decreased when compared with the addition method according to the first embodiment of the invention described hereinbefore. Parenthetically, it should be added that the doubling arithmetic according to the second embodiment of the invention can be realized by making use of the doubling method according to the first embodiment of the invention.



The method of protecting the private key information against leakage in terms of the deviation information of the processing time as described hereinbefore can also be carried out with the elliptic curve in a prime field in addition to the elliptic curve in the finite field of characteristic 2 (extension field of "2").

Next, description will be made of a third embodiment of the present invention which is directed to a method of preventing leakage of the private key information from the deviation information of the processing time by adopting the Montgomery method on the presumption that the elliptic curve in the prime field is represented by By^2 = x^3 + Ax^2 + Bx.

As is disclosed in P. Montgomery: "SPEEDING THE POLLARD AND ELLIPTIC CURVE METHODS OF FACTORIZATION", Mathematics of Computation Vol. 48, No. 177, pp. 243-264 (1987), presuming that the addition of points P0(x0, y0) and P1(x1, y1) and the subtraction therebetween are given by:

P3 (x3, y3); P4 (x4, y4);
P1 + P0 = P3;
P1 - P0 = P4;

then, x3 can speedily be determined from x0, x1 and x4 by resorting to the elliptic curve of the standard form By^2 = x^3 + Ax^2 + Bx in the prime field. More concretely, x3 can be determined by performing six times the multiplications of the prime field as follows:

Presuming that (x3, y3) -> [X_3, Z_3] and that (x4, y4) -> [X_4, Z_4], then

X_3 <- Z_4 [(X_1 - Z_1)(X_0 + Z_0) + (X_1 + Z_1)(X_0 - Z_0)]^2,

and

Z_3 <- X_4 [(X_1 - Z_1)(X_0 + Z_0) - (X_1 + Z_1)(X_0 - Z_0)]^2.

Further, for the doubling arithmetic, expressions mentioned below hold:

P5 = 2P1; (x1, y1) -> [X_1, Z_1];
4 X_1 Z_1 <- (X_1 + Z_1)^2 - (X_1 - Z_1)^2;
X_5 <- (X_1 + Z_1)^2 (X_1 - Z_1)^2; Z_5 <- (4 X_1 Z_1) [(X_1 - Z_1)^2 + ((A + 2)/4)(4 X_1 Z_1)]

Furthermore, when the double point of P1 is given by P5(x5, y5), then x5 can be determined only from x1 by executing relevant multiplication five times. By taking advantage of this feature, the x-coordinate of scalar multiple (scalar value d) of the point R can be determined from Rx, as follows.
Presuming that the initial value is given by [R, 2R] and that mR represents the x-coordinate of m-multiplication of the point R, the scalar value d is developed to the binary bit string. Then, starting from the most significant bit of d,

[mR, (m+1)R] -> [2mR, 2(m+1)R] for the bit of d = "0",

and

[mR, (m+1)R] -> [(2m+1)R, 2(m+1)R] for the bit of d = "1".

Hence

(m+1)R - mR = R, and
(m+1)R + mR = (2m+1)R.



Scalar multiplication method according to third embodiment

Figures 11A and 11B are flow charts for illustrating the scalar multiplication method in which the Montgomery method is adopted according to the third embodiment of the present invention. Referring to the figures, it is presumed that a projective coordinate component X_0 of the x-coordinate of a given point R and a scalar value m are inputted and that a projective coordinate component X_m of the x-coordinate of a point corresponding to m-multiplication of R is to be outputted. To this end, the scalar value m and the projective coordinate component X_0 of the x-coordinate are inputted in the step 1102 shown in Fig. 11A. In the succeeding steps 1103 to 1105, data is stirred through multiplication of the individual coordinates in the projective coordinate system by the random number. More specifically, the random number k is generated in the step 1103, whereon kX_0 is determined by multiplying the projective coordinate component X_0 of the x-coordinate by the random number k, and then kX_0 is assigned to X_1 in the step 1104 while the random number k is assigned to Z_1 in the step 1105. In succession, [X_1, Z_1] is assigned to [X_4, Z_4] (step 1106). Subsequently, [X_1, Z_1] is inputted to the doubling method (i.e., Montgomery's doubling arithmetic), the output of which is assigned to [X_2, Z_2] (step 1107). Further, the scalar value m is transformed to the binary bit string h_l h_(l-1) ... h_0 (step 1108), where the most significant bit h_l is "1". Thus "l" is assigned to i in the step 1109 shown in Fig. 11B. In a succeeding step 1110, "i-1" is assigned to i, which is then followed by a step 1111 where [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted to the addition method (Montgomery's addition arithmetic), the output of which is assigned to [X_3, Z_3] (step 1111). When h_i == 0 in the step 1112 (i.e., when the decision step 1112 results in affirmation "Yes"), the processing proceeds to a step 1113 while it proceeds to a step 1115 when h_i == 1, i.e., when the decision step 1112 results in negation "No". In the step 1113 shown in Fig. 11B, [X_1, Z_1] is inputted to the doubling method (Montgomery's doubling arithmetic), the output from which is assigned to [X_1, Z_1]. In the succeeding step 1114, [X_3, Z_3] is assigned to [X_2, Z_2], whereon the processing proceeds to a step 1117. On the other hand, when the decision step 1112 results in "No", [X_2, Z_2] is inputted to the doubling method (Montgomery's doubling arithmetic), the output of which is assigned to [X_2, Z_2] (step 1115). Further, [X_3, Z_3] is assigned to [X_1, Z_1] in the step 1116, whereupon the processing proceeds to a step 1117. In the case where i > 0, i.e., the step 1117 results in "Yes", the step 1110 is resumed. If otherwise, i.e., when the decision step 1117 results in "No", the processing proceeds to a step 1118 where X_1/(Z_1) is assigned to the projective coordinate component X_m to be ultimately outputted in the step 1119, whereupon the processing comes to an end (step 1120).

Through the procedure described above,
determination of the x-coordinate corresponding to the
scalar (d) multiplication of a given coordinate (x, y)
can be realized by executing eleven times the mutually
different multiplications for each bit of d. Furthermore,
by setting for the given x-coordinate the initial
value for scalar multiplication [kx, k] where k
represents a random number, the private key information
can be protected against leakage in terms of the
deviation information of the d(x, y) processing time. In
addition, this feature indicates that for the DPA
(Differential Power Analysis) trial for performing the
cryptanalysis by making use of deviation information
concerning the current, voltage, electric power for
the encryption processing, the private key information
can be protected against leakage in terms of the
deviation information of the current (voltage, electric
power) involved in processing d(x, y).
Furthermore, for the elliptic curve y^2 = x^3 + ax
+ b in the prime field, an elliptic curve may be constituted
such that the Abelian group defined by the rational
points between By^2 = x^3 + Ax^2 + Bx and y^2 = x^3 + ax + b is
same, whereon the coordinates (x, y) given by the
elliptic curve y^2 = x^3 + ax + b in the prime field is
transformed to By^2 = x^3 + Ax^2 + Bx, to thereby determine the
scalar multiplication through the procedure described
hereinbefore, the result of which is then transformed to
y^2 = x^3 + ax + b.

Next, description will be directed to a fourth
embodiment of the present invention. In the case of the
elliptic curve cryptography according to the first
embodiment of the invention, it has been presumed that
[X, Y, Z] = [λ^2 X, λ^3 Y, λZ] applies valid for the given
projective coordinate (λ ≠ 0). However, the teachings of
the present invention can also be implemented with the
projective coordinate system in which [X, Y, Z] = [λX,
λY, λZ] applies valid.

Scalar multiplication method according to fourth embodiment

Figures 12A and 12B are flow charts for
illustrating the scalar multiplication method according
to the fourth embodiment of the present invention.
Referring to the figures, it is presumed that a projective
coordinate component X_0 of the x-coordinate of a
given point R and a scalar value m are inputted and that
a projective coordinate component X_m of the x-coordinate
of a point corresponding to m-multiplication of R (i.e.,
the point corresponding to the product of m and R) is to
be outputted. On the presumption, the scalar value m and
the projective coordinate component X_0 of the x-coordinate
are inputted in the step 1202 shown in Fig. 12A. In the
succeeding steps 1203 to 1205, data is stirred through
multiplication of the individual projective coordinates
by the random number. More specifically, the random
number k is generated in the step 1203, whereon kX_0 is
determined by multiplying the projective coordinate
component X_0 of the x-coordinate by the random number k,
and then kX_0 is assigned to X_1 in the step 1204 while the
random number k itself is assigned to Z_1 in the step
1205. In succession, [X_1, Z_1] is assigned to [X_4, Z_4]
(step 1206). Subsequently, [X_1, Z_1] is inputted to the
doubling arithmetic, the output of which is assigned to
[X_2, Z_2] (step 1207). Further, the scalar value m is
transformed to the binary bit string h_l h_{l-1} ... h_0 (step
1208), where the most significant bit h_l is "1". Thus,
"l" is assigned to i in the step 1209 shown in Fig. 12B.
In a succeeding step 1210, "i-1" is assigned to i, which
is then followed by a step 1211 where [X_1, Z_1], [X_2, Z_2]
and [X_4, Z_4] are inputted to the addition arithmetic, the
output of which is assigned to [X_3, Z_3]. When h_i == "0" in
the step 1212 (i.e., when the decision step 1212 results
in affirmation "Yes"), the processing proceeds to a step
1213 while it proceeds to a step 1215 when h_i == "1",
i.e., when the decision step 1212 results in negation
"No". In the step 1213 shown in Fig. 12B, [X_1, Z_1] is
inputted to the doubling arithmetic, the output from
which is assigned to [X_1, Z_1]. In the succeeding step
1214, [X_3, Z_3] is assigned to [X_2, Z_2], whereon the
processing proceeds to a step 1217. On the other hand,
when the decision step 1212 results in "No", [X_2, Z_2] is
inputted to the doubling arithmetic, the output of which
is assigned to [X_2, Z_2] (step 1215). Further, [X_3, Z_3] is
assigned to [X_1, Z_1] in the step 1216, whereupon the
processing proceeds to a step 1217. In the case where
i > 0, i.e., when the step 1217 results in "Yes", the
step 1210 is resumed. If otherwise, i.e., when the
decision step 1217 results in "No", the processing
proceeds to a step 1218 where X_1/(Z_1) is assigned to the
projective coordinate component X_m to be ultimately
outputted in the step 1219, whereupon the processing
comes to an end (step 1220).

It is presumed that in conjunction with the
projective space coordinate of a point on the elliptic
curve, it applies valid that [X, Y, Z] = [λX, λY, λZ] for
a given λ ≠ 0. At this juncture, let's consider points
P0 = (x0, y0) = [X_0, Y_0, Z_0] and P1 = (x1, y1) =
[X_1, Y_1, Z_1] as the points on the elliptic curve.
Additionally, it is presumed that the sum and the
difference of the points P0 and P1 are given by P3 =
(x3, y3) = [X_3, Y_3, Z_3] and P4 = (x4, y4) = [X_4, Y_4, Z_4],
respectively.

Namely,

P1 + P0 = P3, and
P1 - P0 = P4

Subsequently, relations in the projective
coordinate system are derived from the expression (1)
mentioned hereinbefore in conjunction with the first
embodiment of the invention, i.e., x3 + x4 = (x0 x1)/
(x0 + x1)^2.

Replacing x1 and x0 appearing in the expression
(1) by X_1/Z_1 and X_0/Z_0, respectively, then

X_3/Z_3 = X_4/Z_4 + ((X_0/Z_0)(X_1/Z_1))/(X_0/Z_0 + X_1/Z_1)^2
        = X_4/Z_4 + ((X_0 Z_0)(X_1 Z_1))/(X_0 Z_1 + X_1 Z_0)^2
        = ((X_4 β^2) + Z_4 (X_0 Z_0)(X_1 Z_1))/(Z_4 β^2)
where β = X_0 Z_1 + X_1 Z_0.

From the above expression, there can be
derived:

X_3 = X_4 β^2 + Z_4 (X_0 Z_1)(X_1 Z_0) ... (2)'

Z_3 = Z_4 β^2 ... (3)'



On the presumption that mR = [X_1, Y_1, Z_1], (m
+ 1)R = [X_2, Y_2, Z_2], R = [X_4, Y_4, Z_4] and (2m + 1)R = [X_3,
Y_3, Z_3], an addition method according to the fourth
embodiment of the present invention will be elucidated
below.

Addition method according to fourth embodiment

Figure 13 is a flow chart for illustrating an
addition method according to the fourth embodiment of the
present invention. It is assumed that projective
coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted,
whereby [X_3, Z_3] or the point at infinity is outputted.
Thus, projective coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4]
are inputted in a step 1302. Subsequently, X_1 Z_2 is
assigned to S_1 in a step 1303. Further, X_2 Z_1 is assigned
to S_2 in a step 1304, whereon S_1 + S_2 is assigned to B in a
step 1305. When B == 0 in a step 1306 (i.e., when decision
in the step 1306 results in "Yes"), the processing
proceeds to a step 1307. If otherwise (i.e., when the
decision in the step 1306 results in "No"), the processing
proceeds to a step 1308. In the step 1307, the point at
infinity is outputted, and then a step 1313 is executed.
On the other hand, when the decision step 1306 results in
"No", Z_4 B^2 is assigned to Z_3 in a step 1308. Further,
(Z_4)^2 S_1 S_2 is assigned to S in a step 1309. Subsequently,
X_4 B^2 is assigned to M in a step 1310 while M + S is
assigned to X_3 in a step 1311, whereon [X_3, Z_3] is
outputted in a step 1312.

Through the procedure described above, the
addition arithmetic can be realized by executing six
times the multiplication of mutually different variables.

Next, description will turn to the doubling
method. Let's represent a double point of P1 by P2 and
presume that P1 = (x1, y1) = [X_1, Y_1, Z_1] and P2 = (x2, y2)
= [X_2, Y_2, Z_2]. The doubling expression is given by
x2 = (x1)^2 + b/(x1)^2. Accordingly, in the doubling
arithmetic formulae x2 = (x1)^2 + b/(x1)^2, x1 is replaced
by X_1/Z_1 with x2 being replaced by X_2/Z_2.
Namely,

X_2/Z_2 = (X_1/Z_1)^2 + b/(X_1/Z_1)^2
        = X_1^2/(Z_1)^2 + (b Z_1^2)/(X_1)^2
        = (X_1^4 + b(Z_1)^4)/(X_1^2 Z_1^2)

Thus, there can be derived the following
relations.

X_2 = X_1^4 + b Z_1^4 ... (4)

Z_2 = X_1^2 Z_1^2 ... (5)

The doubling method based on the expressions
mentioned above will be described below.

Doubling method according to fourth embodiment

Figure 14 is a flow chart for illustrating a
doubling method according to the fourth embodiment of the
invention. It is presumed that Q = [X_1, Z_1] and b are
inputted for thereby outputting 2Q = [X_2, Z_2] or the point
at infinity. More specifically, [X_1, Z_1] and b are
inputted in a step 1402. When X_2 == 0 or Z_2 == 0 (i.e.,
when the decision in the step 1403 results in "Yes"), the
processing proceeds to a step 1404. If otherwise (i.e.,
when the decision step 1403 results in "No"), the
processing proceeds to the step 1405. In the step 1404,
the point at infinity is outputted. In the step 1405, Z_1^2
is assigned to Z_2. In the step 1406, X_1^2 S is assigned to
S. In the step 1407, X_1^4 + bS is assigned to X_2, which is




Through the procedure described above,
determination of the x-coordinate corresponding to the
scalar (d) multiplication of given coordinates (x, y) can
be realized by executing eight times the multiplication
processing for each bit of d. Furthermore, by setting
[kx, k] for the given x-coordinate as the initial value
for the scalar multiplication, where k represents a
random number, the private key information can be
protected against leakage in terms of the deviation
information of the d(x, y) processing time. Further,
this feature indicates that in the DPA (Differential
Power Analysis) for realizing the cryptanalysis, the
private key information can also be prevented from
leakage as the deviation (or difference) information of
the current (voltage, electric power) involved in the
processing of d(x, y).
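
The fourth-embodiment ladder described above, written out in
Python as an added example that is not part of the patent text.
It follows expressions (2)', (3)', (4) and (5) with the randomized
start [kX_0, k]; the field GF(2^8), its reduction polynomial, the
value of b and all function names are assumptions chosen for
illustration, and Python integer arithmetic is not constant-time.

```python
import secrets

# Constructed toy parameters (assumptions, not from the patent): the field
# GF(2^8) with reduction polynomial x^8+x^4+x^3+x+1 and curve parameter b.
M, POLY, B_COEF = 8, 0x11B, 0x53

def gf_mul(a, b):
    """Multiply two elements of GF(2^M): carry-less product reduced by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_sqr(a):
    return gf_mul(a, a)

def gf_inv(a):
    """Inverse of a non-zero element, computed as a^(2^M - 2)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_sqr(a)
        e >>= 1
    return r

def add(p1, p2, p4):
    """[X_3, Z_3] per expressions (2)' and (3)'; p4 is the difference point R."""
    (x1, z1), (x2, z2), (x4, z4) = p1, p2, p4
    s1, s2 = gf_mul(x1, z2), gf_mul(x2, z1)
    beta2 = gf_sqr(s1 ^ s2)                       # addition in GF(2^M) is XOR
    x3 = gf_mul(x4, beta2) ^ gf_mul(z4, gf_mul(s1, s2))
    return x3, gf_mul(z4, beta2)                  # Z_3 == 0 means infinity

def double(p):
    """[X_2, Z_2] per expressions (4) and (5)."""
    xs, zs = gf_sqr(p[0]), gf_sqr(p[1])
    return gf_sqr(xs) ^ gf_mul(B_COEF, gf_sqr(zs)), gf_mul(xs, zs)

def ladder(m, x0, k=None):
    """x-coordinate of mR from x0 = x(R); None is the point at infinity."""
    if x0 is None:
        return None
    if k is None:
        k = secrets.randbelow((1 << M) - 1) + 1   # random non-zero k
    if m < 1 or k == 0:
        raise ValueError("need m >= 1 and k != 0")
    p1 = p4 = (gf_mul(k, x0), k)                  # [kX_0, k], steps 1203-1206
    p2 = double(p1)                               # step 1207
    for i in range(m.bit_length() - 2, -1, -1):   # bits below the leading 1
        p3 = add(p1, p2, p4)                      # one addition per bit ...
        if (m >> i) & 1 == 0:
            p1, p2 = double(p1), p3
        else:
            p1, p2 = p3, double(p2)               # ... and one doubling per bit
    return None if p1[1] == 0 else gf_mul(p1[0], gf_inv(p1[1]))
```

Every bit of m costs exactly one addition and one doubling, and the
returned x-coordinate is the same for every non-zero k although all
intermediate [X, Z] values change with k.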



Next, description will be directed to a fifth
embodiment of the present invention. In the case of the
elliptic curve cryptography according to the second
embodiment of the invention, it has been presumed that
[X, Y, Z] = [λ^2 X, λ^3 Y, λZ] applies valid for the given
projective coordinate (λ ≠ 0). However, the teachings of
the present invention can also be implemented with the
projective coordinate system in which [X, Y, Z] = [λX,
λY, λZ] applies valid.

When the transformation from the affine
coordinates to the projective coordinates can be given by
(x, y) -> [x, y, 1], then it applies valid that Z_4 = 1.

Scalar multiplication method according to fifth embodiment

Figures 15A and 15B are flow charts for
illustrating the scalar multiplication method according
to the fifth embodiment of the present invention.
Referring to the figures, it is presumed that a
projective coordinate component X_0 of the x-coordinate of
a given point R and a scalar value m are inputted and
that a projective coordinate component X_m of the
x-coordinate of a point corresponding to m-multiplication
of R (i.e., the point corresponding to the product of m
and R) is to be outputted. On the presumption, the
scalar value m and the projective coordinate component X_0
of the x-coordinate are inputted in the step 1502 shown
in Fig. 15A. X_0 is assigned to X_1 in the step 1504. In a
succeeding step 1505, "1" is assigned to Z_1. In succession,
[X_1, Z_1] is assigned to [X_4, Z_4] in a step 1506.
Subsequently, [X_1, Z_1] is inputted to the doubling
arithmetic, the output of which is assigned to [X_2, Z_2]
(step 1507). Further, the scalar value m is transformed
to the binary bit string h_l h_{l-1} ... h_0 (step 1508), where the
most significant bit h_l is "1". Thus, "l" is assigned to
i in the step 1509 shown in Fig. 15B. In a succeeding
step 1510, "i-1" is assigned to i, which is then followed
by a step 1511 where [X_1, Z_1], [X_2, Z_2] and X_4 are inputted
to the addition arithmetic, the output of which is
assigned to [X_3, Z_3]. When h_i == "0" in the step 1512
(i.e., when the decision step 1512 results in affirmation
"Yes"), the processing proceeds to a step 1513 while it
proceeds to a step 1515 when h_i == "1", i.e., when the
decision step 1512 results in negation "No". In the step
1513 shown in Fig. 15B, [X_1, Z_1] is inputted to the
doubling arithmetic, the output from which is assigned to
[X_1, Z_1]. In the succeeding step 1514, [X_3, Z_3] is
assigned to [X_2, Z_2], whereon the processing proceeds to a
step 1517. On the other hand, when the decision step
1512 results in "No", [X_2, Z_2] is inputted to the doubling
arithmetic, the output of which is assigned to [X_2, Z_2]
(step 1515). Further, [X_3, Z_3] is assigned to [X_1, Z_1] in
the step 1516, whereupon the processing proceeds to the
step 1517. When i > 0 in the step 1517, i.e., when the
step 1517 results in "Yes", the step 1510 is resumed. If
otherwise, i.e., when the decision step 1517 results in
"No", the processing proceeds to a step 1518 where X_1/(Z_1)
is assigned to the projective coordinate component X_m
which is ultimately outputted in the step 1519, whereupon
the processing comes to an end (step 1520).

Addition method according to fifth embodiment

Figure 16 is a flow chart for illustrating an
addition method according to the fifth embodiment of the
present invention. It is assumed that projective
coordinates [X_1, Z_1], [X_2, Z_2] and X_4 are inputted, whereby
[X_3, Z_3] or the point at infinity is outputted. Thus,
projective coordinates [X_1, Z_1], [X_2, Z_2] and X_4 are
inputted in a step 1602. In the succeeding step 1603,
X_1 Z_2 is assigned to S_1. Further, X_2 Z_1 is assigned to S_2 in
a step 1604 with S_1 + S_2 being assigned to B in a step
1605. When B == 0 in a step 1606 (i.e., when decision in
the step 1606 results in "Yes"), the processing proceeds
to a step 1607. If otherwise (i.e., when decision in the
step 1606 results in "No"), the processing proceeds to a
step 1608. In the step 1607, the point at infinity is
outputted, whereon an end step 1613 is executed. On the
other hand, unless B == 0 in the step 1606, B^2 is assigned
to Z_3. In the succeeding step 1608, S_1 S_2 is assigned to S.
Further, (X_4 Z_3) is assigned to M in a step 1610 while
M + S is assigned to X_3 in a step 1611. Finally, [X_3, Z_3]
is outputted in a step 1612. Through the procedure
described above, the addition arithmetic can be realized
by executing four times the multiplication of mutually
different variables. Parenthetically, as the doubling
arithmetic according to the instant embodiment of the
invention, the doubling arithmetic described hereinbefore
can be adopted. Additionally, the method incarnated in
the instant embodiment can also find application not only
to the arithmetic with the elliptic curve in the finite
field of characteristic 2 but also to the arithmetic with
the elliptic curve in the prime field.

Sixth embodiment

Next, description will be made of the elliptic
curve arithmetic unit according to a sixth embodiment of
the present invention. Figure 9 is a functional block
diagram showing schematically a structure of the elliptic
curve arithmetic unit according to the sixth embodiment
of the present invention. In the figure, reference
numeral 901 denotes generally an elliptic curve
arithmetic unit which corresponds to the one shown in
Fig. 1 and designated by the reference numeral 109.
Referring to Fig. 9, inputted to the elliptic curve
arithmetic unit 901 are x-coordinate X_0 of a given point,
a scalar value m and a parameter b of the elliptic curve
of the standard form given by y^2 + xy = x^3 + ax^2 + b in the
finite field of characteristic 2 (extension field of
"2"), as indicated by an arrow 902, whereby x-coordinate
X_m of a point corresponding to m-multiplication of above-
mentioned given point is outputted from the elliptic
curve arithmetic unit 901, as indicated by an arrow 903.
At this juncture, it should however be mentioned that
although the instant embodiment of the invention is
described in conjunction with the elliptic curve in the
finite field of characteristic 2, the invention can
equally be implemented with the elliptic curve in the
prime field.

The elliptic curve arithmetic unit 901 includes
a random number generation module 904 for generating a
random number k to be outputted, as indicated by an arrow
905. The random number k generated by the random number
generation module 904 is inputted to a projective
coordinate transformation module 906 together with the
x-coordinate X_0, the scalar value m and the parameter b
although they are not shown in Fig. 9, to be thereby
transformed to the projective coordinates [kX_0, k], which
is then assigned to [X_1, Z_1]. The projective coordinate
[X_1, Z_1] and the scalar value m are inputted to a scalar
multiplication module 908, whereby a point given by [X_1,
Z_1] multiplied by m is determined. Thus, the x-coordinate
X_m of the point as determined is outputted from the scalar
multiplication module 908. In the scalar multiplication
module 908, [X_1, Z_1] is first assigned to [X_4, Z_4] which
may be previously stored in a memory incorporated, for
example, in the scalar multiplication module. Further,
the projective coordinates [X_1, Z_1] are supplied to a
doubling arithmetic module 913 for determining a double
point [X_2, Z_2]. Subsequently, m is developed to a binary
bit string. Every time the bit assumes "0", starting
from the more significant bit, [X_1, Z_1] is supplied to the
doubling arithmetic module 913, whereon the double point
outputted from the doubling arithmetic module 913 is
assigned to [X_1, Z_1]. Subsequently, projective
coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted to
an addition arithmetic module 910, and the addition point
outputted from the addition arithmetic module 910 is
assigned to [X_2, Z_2]. On the other hand, when the bit is
"1", the projective coordinates [X_2, Z_2] are outputted to
the doubling arithmetic module 913, whereon the double
point outputted from the doubling arithmetic module 913
is assigned to [X_2, Z_2]. Subsequently, the projective
coordinates [X_1, Z_1], [X_2, Z_2] and [X_4, Z_4] are inputted to
the addition arithmetic module 910, and the addition
point outputted from the addition arithmetic module 910
is assigned to [X_1, Z_1]. Thus, there is derived the
X_m-coordinate of the m-tuple point.

Inputted to the addition arithmetic module 910
is [X_1, Z_1], [X_2, Z_2], [X_4, Z_4] for arithmetically
determining [X_3, Z_3] which satisfies the conditions that
[X_3, Z_3] = [X_2, Z_2] + [X_1, Z_1] and that [X_4, Z_4] = [X_2, Z_2] -
[X_1, Z_1]. The coordinates [X_3, Z_3] are then outputted from
the addition arithmetic module 910.

More specifically, assigning arithmetics
S_1 <- X_1 Z_2^2, S_2 <- X_2 Z_1^2 and B <- S_1 + S_2 are first executed.
When B == 0, the point at infinity is outputted,
whereupon the processing comes to an end. Unless B = 0,
assigning arithmetics Z_3 <- Z_4 B, S <- Z_4^2 S_1 S_2, M <- X_4 Z_3^2 and
X_3 <- M + S are executed.

Inputted to the doubling arithmetic module 913
are [X_1, Z_1] and b for arithmetically determining the
coordinates [X_2, Z_2] which satisfy the conditions that [X_2,
Z_2] = [X_1, Z_1] + [X_1, Z_1]. The coordinates [X_2, Z_2] are then
outputted from the doubling arithmetic module 913. In
the case where X_1 == 0 or Z_1 == 0, the point at infinity
is outputted. If otherwise, assigning arithmetics
S <- Z^, Z 2 «- X^ and X 2 «- X^ + b(S)* are executed. 

In the case of the embodiment described above,
it has been assumed that the x-coordinate X_0 is
transformed to the projective coordinates [kX_0, k].
However, it goes without saying that the teachings of the
present invention can equally be applied to the
transformation of the x-coordinate X_0 to the projective
coordinates [k^2 X_0, k].

Finally, it should be added that the methods
according to the embodiments of the invention described
in the foregoing can be stored in a recording medium in
the form of a program or programs executable with a
computer without departing from the spirit and scope of
the present invention.

As will be appreciated from the foregoing
description, the elliptic curve encryption processing can
be executed at a significantly increased speed according
to the teachings of the invention when compared with the
conventional cryptograph technologies. Furthermore, by
virtue of such arrangement that the processing time for
d(x, y) does not depend on the bit pattern of d in
realization of the elliptic curve cryptography, the
private key information can be protected against leakage
from or in terms of the deviation information.

Many modifications and variations of the
present invention are possible in the light of the above
techniques. It is therefore to be understood that within
the scope of the appended claims, the invention may be
practiced otherwise than as specifically described.



